Hi,
well I recoded a windows dll from XP (changed some desktop appearance things). But how can I replace the original windows dll with my new one???
Although there is no autoexec.bat in XP I'm sure there is some batch file that gets started when xp is booting. Does anyone know!?
Dominik
Posted on 2004-10-17 09:26:29 by Dom
Try replacer, its worked well for me in the past.
Posted on 2004-10-17 09:55:08 by Eóin
in this case is SFP (Systme File Protection) (or SFC) the magic keyword. it is the component that protects system files. and it can be turned off, using undocumented hacks and other nasty stuff. search on the the RCE board for SFC and you'll be answered.
Posted on 2004-10-17 10:16:42 by lifewire
Nice tool....it works...but I would like to know how the replacement is done.
As far as I could see the replacer creates a temporary executeable .tmp and adds it to:
HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

I would like to know how to use this reg-key on my own. I found a description that says both the system file and the replacement file should be set into this reg-key. But it does not work. Does anyone know something about the usage of that reg-key!?

Lifewire: Where can i find the rce board?
Dominik
Posted on 2004-10-17 10:17:10 by Dom
by the way to disable windows file protection on xp sp1 (works only on sp1):

1. in windows\system32\sfc_os.dll (same thing in \dllcache) at offset 0x0000e3bb nop the 0xc68b word.
2. reboot
3. then you should be able to disable it by changing value SfcDisable key (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) to 0xffffff9d
Posted on 2004-10-17 12:02:53 by arafel
here, Dom:
http://www.woodmann.net/forum/showthread.php?t=6292&highlight=sfc

Good luck.
Posted on 2004-10-17 12:16:36 by lifewire
Is there no way in just writing some batch cmds to a file and windows itself replaces the file on the next startup? I thought about Partition Magic....I suppose it uses such a batch file. When it was adviced to change a partition, on the next bootup this is done even before the desktop gets loaded.
Posted on 2004-10-19 08:23:54 by Dom
In the old times I used MoveFileEx with dwFlags=MOVEFILE_DELAY_UNTIL_REBOOT, but I can't say if that will work on NT5 too, last time I used it was... well, long ago :)
Posted on 2004-10-19 09:33:46 by lifewire
Lifewire, it does work on WinXP after setting the reg dword
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AllowProtectedRenames to "1". After the reboot this regvalue gets deleted, so you have to set it up every time.
Thanks alot....
Dominik
Posted on 2004-10-19 10:35:55 by Dom
Download M$ Installer 2.0, it's creates a .MSI to do the job for you.

Regards, P1 8)
Posted on 2004-10-19 16:26:58 by Pone
if i remember correctly, there is an undocummented ordinal2 function in sfc.dll, which disables SFP. find it on @stake's site, or ratter's SFP article. or just pop open ida and mess around.
Posted on 2004-10-19 17:57:38 by Drocon
if i remember correctly, there is an undocummented ordinal2 function in sfc.dll, which disables SFP. find it on @stake's site, or ratter's SFP article. or just pop open ida and mess around.


that way is mentioned on the thread on the RCE board I pasted.
Posted on 2004-10-20 03:45:50 by lifewire
thank you guys,...by the way, drocon, its ordinal 5 :)
I finally did it with the MoveFileEx API.
Dominik
Posted on 2004-10-20 12:16:06 by Dom
i wonder how do u change the system path in the XP!!!
i mean how to change the path in the command window to what i want not the default one!!!

i tried the environment variables!!! but its not working!!!1
Posted on 2004-10-22 08:54:38 by b
I think changing the system path is only possible during Installation....
In order to change the path that is displayed when running cmd.exe you need some windows tricks....or modify the cmd.exe.....
Dominik
Posted on 2004-10-22 09:38:50 by Dom
i know it's possible for win 98 & win 2000

i think my problem is in the system variables,
i think in the other virgins they have only the user variables!!
Posted on 2004-10-22 10:57:27 by b